Old 01-07-2011, 04:09 AM   #1
YellowSnowIsBad
Member
 
Registered: Oct 2010
Posts: 49

Rep: Reputation: Disabled
Snort update, broken.


Hmm.. I didn't know which board to put this on, but anyway.

I am having trouble updating Snort on Ubuntu Lucid. It seems that there is one line in the config file that prevents Snort from starting up in daemon mode.

Code:
# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
output database: log, mysql, user=snortuser password=monkeyb0i dbname=snortdb host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
# <debian>
# Keep your paws off of these (#DBSTART#) and (#DBEND#) tokens
# or you *will* break the configure process (snort-pgsql/snort-mysql only)
# Anything you put between them will be removed on (re)configure.
#
# (#DBSTART#)
output database: log, mysql,  
# (#DBEND#)
#
# </debian>
#

If I remove that line I can update no problem, but when I issue an apt dist-upgrade, that particular line is re-added and, for some reason, it is unable to finish the installation process.

Quote:
root@lame:/var/log# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0B of additional disk space will be used.
Do you want to continue [Y/n]? y
Setting up snort-mysql (2.8.5.2-2build1) ...
* Stopping Network Intrusion Detection System snort
* No running snort instance found
* Starting Network Intrusion Detection System snort [fail]
invoke-rc.d: initscript snort, action "start" failed.
dpkg: error processing snort-mysql (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
snort-mysql
E: Sub-process /usr/bin/dpkg returned an error code (1)

Thanks.
 
Old 01-07-2011, 05:01 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
The error indicates that something is wrong in the database configuration. Dumb question, but do you have the properly configured MySQL databases for snort? In other words, do you have a database named snortdb, and a user, snortuser, with suitable permissions and a valid password on that database?

Running dpkg --reconfigure on snort should allow you to go through the setup process again if you don't.

I would also search on Ubuntuforums.org in their security section. Bodhi Zazen has written some excellent how-to documents on installing snort under Ubuntu. There is a newer version that uses the snort in the repositories and then there is the older version where you compiled snort manually from source (before it had MySQL capability).
 
Old 01-07-2011, 11:23 PM   #3
YellowSnowIsBad
Member
 
Registered: Oct 2010
Posts: 49

Original Poster
Rep: Reputation: Disabled
Yeah, I do have it configured correctly. Like I said before, it runs fine as long as I don't attempt to update it. When I try to update it, that line is added to the config file, which breaks the installation. I have to remove it every time before it will run.

There is no --reconfigure for dpkg, just --configure.

Code:
dpkg --help | grep -i reconfigure
outputs nothing.

Running --configure spits out the following.


Quote:
$ dpkg --configure snort-mysql
Setting up snort-mysql (2.8.5.2-2build1) ...
* Stopping Network Intrusion Detection System snort
* No running snort instance found
* Starting Network Intrusion Detection System snort [fail]
invoke-rc.d: initscript snort, action "start" failed.
dpkg: error processing snort-mysql (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
snort-mysql

Like I said, it runs fine if I remove that line from the config. It says specifically to run --reconfigure (which doesn't exist) and when I run --configure, it's broken.

:S

Thanks for your time.
 
Old 01-08-2011, 09:39 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
I apologize for the mistake on the reconfigure command. It has been a long time since I have used it. It is 'dpkg-reconfigure' not dpkg --reconfigure. In other words, the command is dpkg-reconfigure, not --reconfigure being an option of dpkg.

If you haven't already, try reading the documentation in my earlier post (link). It also looks like there is an Ubuntu specific installation guide. One of the things listed that may be related to your issue is that it looks like the line should read (with appropriate values filled in):

Code:
output database: log, mysql, dbname=snort user=snortusr host=localhost

However, the warning says that this line will be automatically updated. Consequently, there is probably something that needs to be modified in one of the configuration files.

Personally, I use the earlier version where I compiled it from source rather than using the repository edition. The downside is that you won't get the automatic updates with the repositories, but I think it helps avoid some of these issues. There was also a change recently that impacted the Base PHP viewer. I can't recall all the details, but there is/was a version incompatibility I think with the PHP and graphing libraries. Just something to watch out for.
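
Added example, not part of the thread and not the Debian package's own script: a small lint for the situation in posts #1 and #4, reporting any active `output database:` line that lacks `dbname=` and any active one sitting outside the package-managed `(#DBSTART#)`/`(#DBEND#)` markers. The function names and the sample config (modelled on the excerpt in post #1, password replaced by a placeholder) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample modelled on the snort.conf excerpt in post #1.
sample_conf() {
cat <<'EOF'
output database: log, mysql, user=snortuser password=PLACEHOLDER dbname=snortdb host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# <debian>
# Keep your paws off of these (#DBSTART#) and (#DBEND#) tokens
# (#DBSTART#)
output database: log, mysql,  
# (#DBEND#)
# </debian>
EOF
}

# Reads a snort.conf on stdin and prints one finding per line:
#   INCOMPLETE:<n>       active "output database:" line with no dbname=
#   OUTSIDE_MARKERS:<n>  active line outside the DBSTART/DBEND block,
#                        i.e. hand-written and not touched on (re)configure
lint_db_output() {
    awk '
    # Only a line consisting of the token alone is a marker; the warning
    # comment that mentions both tokens must not toggle the state.
    /^#[ \t]*\(#DBSTART#\)[ \t]*$/ { managed = 1; next }
    /^#[ \t]*\(#DBEND#\)[ \t]*$/   { managed = 0; next }
    /^[ \t]*#/ { next }                      # commented-out examples
    /^[ \t]*output[ \t]+database:/ {
        if ($0 !~ /dbname=[^ \t]+/) print "INCOMPLETE:" NR
        if (!managed)               print "OUTSIDE_MARKERS:" NR
    }'
}

# Run stand-alone against the constructed sample.
sample_conf | lint_db_output
```

To check a real file, feed it on stdin, for example `lint_db_output < snort.conf`.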
 
  

